NewsBite

Tech firms baulk at proposed cybersecurity powers

At a parliamentary inquiry, tech firms have baulked at the idea of the government granting itself sweeping powers for countering cyberattacks.

A hacker at work.

Tech firms have told a parliamentary inquiry they see little value in the help the Australian Signals Directorate can add to their efforts in the event of a cyberattack. And they are concerned that the government wants to give itself unilateral powers to step in and intervene in company operations in the event of a cyberattack.

Microsoft, Google, Amazon Web Services, Atlassian and AUCloud today gave evidence to the Parliamentary Joint Committee on Intelligence and Security on the protocols and systems that would operate in the event of a cyberattack on Australian infrastructure.

The committee is examining the Security Legislation Amendment (Critical Infrastructure) Bill, proposed legislation that is becoming crucial as Australia responds to the alarming increase in cyberattacks and ransomware attacks on infrastructure and supply lines.

The issues raised included government powers, the applications of warrants, and the time frame for notifying the Australian Signals Directorate. Google was against the use of ASD software on company systems.

In the company’s opening statement, Amazon Web Services ANZ head of public policy Roger Somerville said that while AWS was aligned with the committee’s broader objectives, it was worried about the government wanting to give itself broad powers to gather information, issue directions, or act autonomously to directly intervene in an asset when there was a cyberattack.

“For example, the Government can independently determine there is a threat, independently determine not to consult with the regulated entity, independently determine what the regulated entity must do, and there is no recourse for a regulated entity to challenge these determinations before a judge on their merits,” he said.

“This package of independently exercisable and unreviewable powers is too broad, is inconsistent with a healthy separation of powers, and should be reconsidered.

“The Government also proposes an unprecedented assistance power allowing it to step-in and directly intervene in an entity’s operations to take whatever action it deems appropriate to respond to a serious cyber security incident.

“We don’t understand how – given the complexity of various assets – the Government could reasonably believe such step-in powers could be exercised quickly, operate effectively, and still achieve the Government’s aim.

“We believe that introducing these powers could increase security risks and undermine trust in service providers who operate in or from Australia. We think the risk of unintended consequences from the Government attempting to direct or operate systems that are not their own outweighs any benefit of the Government’s intervention.”

Mr Somerville said it also had concerns about how the Bill would apply specifically to the “data storage or processing” sector.

“We think all significant data storage and processing facilities should be secured to the same high level to achieve the government’s aims – regardless of whether a critical infrastructure entity chooses to manage, process, host, or store data in the public cloud, in third-party data centres, ‘on-premises’ within its own data centres, or in some other ‘hybrid’ model.”

Tech companies baulked at the idea that the Australian Signals Directorate should install software on networks that can be activated in the event of a cyberattack.

Shane Huntley, director, threat analysis group at Google Security, told the inquiry this move could be counter-productive.

“I do not believe that when encountering a situation that installing ASD software on our networks would be of assistance,” he said. “We have a good working relationship with ACSC (Australian Cyber Security Centre) and there has been productive threat sharing.

“We believe that there is a productive means to collaborate as collaborators, not as coercion or, in stepping in to operate our systems and to install stuff on our systems. That is where we draw the line.

“If there is an incident we would absolutely want to work with ASD and others in Australia to get whatever assistance, information, insights they can give us, and to collaborate.

“The one specific point I’m making is that I do not believe that there is a situation where, installing ASD software on our networks or our systems, especially in the heat of an incident, is actually going to cause anything except more problems and it’s not going to help the solution.”

His view was backed by some other panel members in the discussion.

Committee chair Senator James Paterson described the views as “pretty profound evidence”.

In a second panel discussion, Ryan Gillis, VP, cybersecurity strategy and global policy, Palo Alto Networks said enterprise level organisations had tools that didn’t talk with each other. He called for investment in better sharing “techniques of information through automated means”.

“The ability to share automated data with context is going to be key for us to get ahead of the attacker,” he said.

“The last panel talked a good deal about entities swimming in data that is not actionable, that is a problem that exists at the enterprise level. Organisations right now have tools that don’t talk to each other.

“When you expand that out to the sharing in between that is particularly expounded as a problem.”

The committee will be hearing from other witnesses during the day.


Original URL: https://www.theaustralian.com.au/business/technology/tech-firms-baulk-at-proposed-cybersecurity-powers/news-story/1e051d3b71528755311855d4db4f05f5